Internet on my laptop stops when on vpn

VikasA
Level 1

Hi Team,

I have reserved a sandbox for VIRL, and when I connect to the VPN I get a 10.10.20.x IP as my DNS, but that IP is not able to resolve public domains. When I manually update DNS to 8.8.8.8, I still can't resolve DNS with ping -a google.com, but I can resolve it with nslookup google.com.

Can you check the DNS provided in this lab?

I can't give the output of these commands, as my internet goes when I am on that VPN.

7 Replies

Double click on the AnyConnect icon in the system tray. Click the 'cog' bottom left, select 'VPN' and then the 'Route details' tab. What does it show?
Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

See the attached image for split tunnel options. I also tried to traceroute 8.8.8.8; it goes out through my internet connection. Maybe split DNS is not configured when the VPN is set up by Cisco? Below are some outputs. Let me know if you need sandbox info.

C:\Users\vikas>ping -a google.com
Ping request could not find host google.com. Please check the name and try again.

 

 

C:\Users\vikas>nslookup google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.10.20.100

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** UnKnown can't find google.com: Non-existent domain

-----------------------------------------------------------------------------------

VPN connection ipconfig

 

Ethernet adapter Ethernet 4:

Connection-specific DNS Suffix . : abc.inc
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.8.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.10.20.100
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : in.mycompany.com   ----> changed this to hide company info
Description . . . . . . . . . . . : Intel(R) Ethernet Connection (4) I219-LM
Physical Address. . . . . . . . . : F8-B4-6A-92-AE-AE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

 

As far as I know, the sandbox VPN does split-tunnel. I have not been a Windows user for many years, but I recall there was a setting in Windows - http://eyonic.blogspot.com/2016/06/how-to-enable-vpn-split-tunneling-in.html

Hope this helps

I don't see any output for the Get-VpnConnection command in PowerShell. I think split tunneling is still working fine; see the trace below, it follows my local internet for a public IP. What I suspect here is that split DNS is not configured by Cisco when authenticating me on the Cisco VPN (instead all DNS traffic is tunnelled into the Cisco network; maybe I am wrong). Attached is a screenshot of the advanced internet properties. I will try to connect from Windows Subsystem for Linux on my PC to rule out an issue with Windows.

PS C:\WINDOWS\system32> tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 172.20.10.1
2 * * * Request timed out.
3 48 ms 45 ms 38 ms 192.168.126.1
4 * * * Request timed out.
5 52 ms 62 ms 39 ms 118.185.45.78
6 58 ms 44 ms 43 ms 74.125.48.70
7 * * * Request timed out.
8 59 ms 41 ms 43 ms 72.14.239.235
9 61 ms 38 ms 50 ms 8.8.8.8

Trace complete.
PS C:\WINDOWS\system32> tracert -d google.com
Unable to resolve target system name google.com.
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-VpnConnection -AllUserConnection
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> nslookup -debug google.com 10.10.20.100
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
Server: UnKnown
Address: 10.10.20.100

DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = NXDOMAIN
header flags: response, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
google.com, type = A, class = IN

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NXDOMAIN
header flags: response, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
google.com, type = AAAA, class = IN

------------
*** UnKnown can't find google.com: Non-existent domain
PS C:\WINDOWS\system32>

If this helps, I am connected to the SD-WAN Reserved Sandbox from my home ISP (BT).

(venv) STUACLAR-M-R6EU:~ stuaclar$ ssh admin@10.10.20.90
viptela 18.3.1.1

admin@10.10.20.90's password:
Last login: Mon Mar 30 17:53:32 2020 from 192.168.97.1
Welcome to Viptela CLI
admin connected from 192.168.97.1 using ssh on vmanage-01
vmanage-01#

 

 

 

 

(venv) STUACLAR-M-R6EU:~ stuaclar$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  bthomehub.home (192.168.1.254)  10.159 ms  12.495 ms  8.388 ms
 2  * * *
 3  * * *
 4  31.55.187.184 (31.55.187.184)  20.357 ms
    31.55.187.180 (31.55.187.180)  11.564 ms
    31.55.187.184 (31.55.187.184)  41.612 ms
 5  core2-hu0-8-0-5.southbank.ukcore.bt.net (195.99.127.186)  44.662 ms
    core1-hu0-6-0-6.southbank.ukcore.bt.net (213.121.192.72)  39.962 ms
    195.99.127.224 (195.99.127.224)  59.635 ms
 6  194.72.16.64 (194.72.16.64)  46.286 ms
    194.72.16.102 (194.72.16.102)  11.156 ms
    peer8-et-7-0-2.telehouse.ukcore.bt.net (194.72.16.156)  10.917 ms
 7  195.99.126.137 (195.99.126.137)  11.528 ms
    109.159.253.189 (109.159.253.189)  11.449 ms
    109.159.253.191 (109.159.253.191)  16.121 ms
 8  74.125.242.65 (74.125.242.65)  12.767 ms * *
 9  dns.google (8.8.8.8)  11.596 ms  10.934 ms  12.823 ms
(venv) STUACLAR-M-R6EU:~ stuaclar$ nslookup google.com
Server:		192.168.1.254
Address:	192.168.1.254#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.213.14

 

 

(venv) STUACLAR-M-R6EU:~ stuaclar$ scutil --dns | grep nameserver
  nameserver[0] : 192.168.1.254
  nameserver[0] : 10.10.20.100
  nameserver[0] : 10.10.20.100
  nameserver[0] : 192.168.1.254
  nameserver[0] : 10.10.20.100

(venv) STUACLAR-M-R6EU:~ stuaclar$ nslookup -debug google.com 10.10.20.100
;; connection timed out; no servers could be reached

(venv) STUACLAR-M-R6EU:~ stuaclar$ nslookup -debug google.com 192.168.1.254
Server: 192.168.1.254
Address: 192.168.1.254#53

------------
QUESTIONS:
google.com, type = A, class = IN
ANSWERS:
-> google.com
internet address = 216.58.213.14
ttl = 300
AUTHORITY RECORDS:
ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name: google.com
Address: 216.58.213.14


(venv) STUACLAR-M-R6EU:~ stuaclar$ ping -a google.com
PING google.com (216.58.213.14): 56 data bytes
64 bytes from 216.58.213.14: icmp_seq=0 ttl=54 time=12.055 ms
64 bytes from 216.58.213.14: icmp_seq=1 ttl=54 time=13.010 ms
64 bytes from 216.58.213.14: icmp_seq=2 ttl=54 time=13.838 ms
64 bytes from 216.58.213.14: icmp_seq=3 ttl=54 time=12.384 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.055/12.822/13.838/0.680 ms

Hope this helps.

 


My issue is solved after disabling IPv6 on my local internet connection. nslookup was pointing to my LAN connection's IPv6 DNS, and somehow the Cisco VPN connection was not able to route DNS traffic to it. The article below can help to understand why and when we can disable IPv6 settings for our adapter. Hope this helps someone like me in the future. Thanks @bigevilbeard for sticking with me.

Link - https://proprivacy.com/vpn/guides/disable-ipv6
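
A way to confirm this diagnosis before changing adapter settings, as an added PowerShell example that is not part of the original thread: while the VPN is connected, it lists every DNS server Windows holds per connected adapter and address family, queries each one directly, and flags IPv6 resolvers on non-VPN adapters that do not answer. The function name `Get-DnsResolverAudit` and the variables `$TestName` and `$VpnPattern` are hypothetical; the adapter pattern is taken from the ipconfig description shown earlier in the thread.

```powershell
# Added example, not from the thread. Run while the VPN is connected.
$TestName   = 'google.com'         # assumption: any public name works as a probe
$VpnPattern = 'Cisco AnyConnect'   # matches the adapter description in the ipconfig output

function Get-DnsResolverAudit {
    param([string]$Name = $TestName, [string]$VpnDescription = $VpnPattern)

    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $isVpn = $adapter.InterfaceDescription -like "*$VpnDescription*"
        foreach ($family in 'IPv4', 'IPv6') {
            # Interface metric: Windows prefers the lowest value
            $metric = (Get-NetIPInterface -InterfaceIndex $adapter.ifIndex `
                -AddressFamily $family -ErrorAction SilentlyContinue).InterfaceMetric
            $servers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                -AddressFamily $family -ErrorAction SilentlyContinue).ServerAddresses
            foreach ($server in $servers) {
                # Ask this server directly, bypassing the normal resolver order
                $answer = Resolve-DnsName -Name $Name -Server $server -Type A `
                    -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Adapter   = $adapter.Name
                    IsVpn     = $isVpn
                    Family    = $family
                    Metric    = $metric
                    DnsServer = $server
                    Resolves  = [bool]$answer
                }
            }
        }
    }
}

$audit = Get-DnsResolverAudit
$audit | Sort-Object Metric | Format-Table -AutoSize

# IPv6 resolvers on a non-VPN adapter that do not answer while the tunnel is up
# are the situation described in the accepted solution.
$suspects = $audit | Where-Object { -not $_.IsVpn -and $_.Family -eq 'IPv6' -and -not $_.Resolves }
foreach ($row in $suspects) {
    Write-Warning "$($row.Adapter): IPv6 DNS server $($row.DnsServer) does not answer"
    # The fix from the thread, per adapter (needs an elevated prompt):
    # Disable-NetAdapterBinding -Name $row.Adapter -ComponentID ms_tcpip6
}
```

The `Disable-NetAdapterBinding` line is left commented out so the script only reports; `Enable-NetAdapterBinding` with the same arguments reverses it.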

Awesome!